Payment Card Industry Data Security Compliance
Payment Card Industry Data Security Compliance Working Group Project Kickoff March 2006

Agenda
- Objective
- Background
- Project goals
- Scope
- Visa Standards
- Payment Gateways (Verisign)
- Network Configuration
- Remediation Strategies
- Approach
- Milestones
9/22/2018 PCI Project

PCI Background
- December 2004: Visa and MasterCard joined forces to expand their security standards, calling the result the Payment Card Industry Data Security Standard (PCI DSS) and releasing version 1.0 of the combined standard.
- 12 technical requirements.
- Impact on policies and procedures, application software, hardware, firewalls, network infrastructure and authentication methods.
- Requirement for annual audits and quarterly network scans by a certified PCI assessor, depending on transaction volume.
- Fines of up to $500,000 per incident if cardholder data is disclosed and you are not compliant.
- The original compliance date was June 2005, which was unreasonable for most institutions to meet. Our new self-imposed compliance date is December 2006.

Project Scope
Planning Assumptions
- Leverage the existing investment in the current third-party credit card processor (Verisign).
- Minimize the cost of compliance.
- The cost of compliance will be borne by the school/center owning the merchant account.
- This project will be fast-tracked to minimize risk and cost.
Project Organization (see Appendix A for org chart)
- The project will be jointly sponsored by the Treasurer's Office in the Division of Finance, Information Systems and Computing (ISC) and the Office of General Counsel under the leadership of Scott Douglass, Robin Beck and Wendy White.
- The project will be managed jointly by Michael Harris of the Office of the Executive Vice President and Bill Kasenchar from ISC.
- A core team from Treasurer's, EVP, OGC and ISC will work to identify and recommend options to meet compliance and establish policy.
- A working team represented by schools and centers will vet remediation strategies and aid in the creation and implementation of the recommended solution.
- Every school or center that owns a merchant account must have a representative on the working team.
- UPHS is performing a parallel effort under the direction of Andrew DeVoe (UPHS Treasurer and CFO).

Visa's Categorization of Merchants
[Table of Visa merchant levels not captured in the transcript]
We are currently out of compliance.

Project Goals
- Achieve PCI compliance across all schools and centers for all of Penn's active merchant accounts.
- Consolidate or retire low-volume merchant accounts.
- Coordinate with Business Services to determine the feasibility of, and project direction for, a centralized events/conference service.
- Establish a central compliance strategy to reduce the cost of compliance and the University's exposure.
- Create or edit the policies required to support the data security standards and PCI compliance.
- Coordinate with schools and centers to identify third-party business affiliates using Penn merchant accounts (Verisign, Apply Yourself, JSA, etc.) and validate their PCI compliance.
- Validate that any third-party payment processor used in conjunction with online transactions is PCI compliant.

Scope of Standards
These Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data. These security requirements apply to all "system components", defined as any network component, server, or application included in, or connected to, the cardholder data environment:
- Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
- Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP.
- Applications include all purchased and custom applications, including internal and external (web) applications.

Data Security Standards
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored data
- Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security

Payment Gateway
- The payment gateway stores, processes and/or transmits cardholder data.
- Verisign is Penn's gateway vendor.
- Two basic architectures:
  - External to the application (Verisign Payflow Link): the cardholder enters card data on pages served by the gateway, so the burden of a secure environment is placed on the gateway vendor. Our PCI initiative must ensure that the vendor maintains compliance.
  - Integral to the application (Verisign Payflow Pro): the application collects card data itself and submits it to the gateway, so the burden of a secure environment is placed on the hosting provider. Our PCI initiative must ensure that the hosting facility maintains compliance.
- Reference: Protect Cardholder Data
  - Requirement 3: Protect stored data
  - Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

Secure Network Diagram
[Network diagram not captured in the transcript]
Reference: Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect data

Proposed Remediation Strategies for Web Based Applications
Option 1: Modify Penn-built or custom-built applications to use Payflow Link
- An annual audit is still required to maintain compliance.
- Payflow Link provides a means for payment data to be collected outside of Penn.
- Making the switch requires a code change, and you have to validate that all historical cardholder data is purged.
Option 2: Third-party applications with secure hosting by the vendor
- Ensure that the vendor is PCI compliant.
- Amend contracts to reflect continued compliance.

Remediation Strategies for Web Based Applications
Option 3: Custom compliant hosting at Penn
- Expensive, and forces the strictest adherence to the following requirements:
  - Build and Maintain a Secure Network
    - Requirement 1: Install and maintain a firewall configuration to protect data
  - Protect Cardholder Data
    - Requirement 3: Protect stored data
    - Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
  - Implement Strong Access Control Measures
    - Requirement 9: Restrict physical access to cardholder data
  - Regularly Monitor and Test Networks
    - Requirement 10: Track and monitor all access to network resources and cardholder data
    - Requirement 11: Regularly test security systems and processes
- Steps:
  - Explore alternative means/vendors to process transactions.
  - Determine whether cardholder data needs to pass through, or be stored on, a Penn server.
  - Establish the business need to host the application in-house.
  - Design the configuration of a compliant hosting environment and estimate its cost.
  - Relocate the hosted web application and database servers to the secure and compliant network configuration.

Three Phased Approach
1. Discovery phase
2. Assessment
3. Remediation
Discovery
- Identify and retain consulting expertise to provide guidance in the interpretation of the standards and validate our process.
- Establish a working group of stakeholders from schools and centers with active merchant accounts.
- Identify merchant accounts and perform a gap/risk analysis to determine the risk and priority of remediation efforts.
- Determine the difference in compliance requirements between credit card information collected online (online card services) and at point-of-sale (POS) terminals.
- Develop remediation strategies.
Assessment
- Evaluate gaps against the remediation strategies and determine a course of action for each merchant account.
- Establish the infrastructure to execute the remediation strategy.
- Identify policies that have to be created or modified to support ongoing data security and PCI standards, including communication and training of personnel.
- Identify and review third-party business affiliate contracts to ensure that they provide documentation of PCI compliance.
- Finalize the remediation schedule and milestones.
Remediation
- Evaluate and select an authorized PCI compliance auditor for the annual audits.
- Monitor and facilitate remediation efforts across schools and centers per the established schedule.
- Develop and implement data security and PCI standards policies.
- Create the Report on Compliance (ROC).

Proposed Milestones
[Milestone table not captured in the transcript]

Next Steps
Schools/centers
- Schedule monthly meetings; proposed: last Tuesday of the month, 2:30-4:00.
- Perform self-assessment/gap analysis.
- Identify systems, hardware and infrastructure that are not in compliance across all merchant accounts.
- Modify systems accordingly to ensure that each merchant account is compliant by 10/15.
ISC, Treasurer, OGC
- Review and identify policies that need to be changed or created to support PCI compliance.
- Work with schools/centers on the creation of a specification and cost estimate for a custom compliant hosting environment.
- Facilitate gap analysis across schools and centers.
Vendors
- Review third-party contracts and amend them with compliance language.
- Send a letter to vendors requesting documentation of compliance.

Appendix A: Project Org Chart